From fe3c9ee4fd7181848d03b2f08e6fdbd68e5a3fff Mon Sep 17 00:00:00 2001 From: Molecule AI Core-BE Date: Tue, 12 May 2026 07:34:23 +0000 Subject: [PATCH] test(handlers/mcp): correct RecallMemory_GlobalScope to expect descriptive error MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Aligns with PR #669's fix to mcp.go: the descriptive GLOBAL scope error ("GLOBAL scope is not permitted via the MCP bridge — use LOCAL, TEAM, or empty") now propagates to the caller. The OFFSEC-001 scrub applies only to "unknown tool:" errors (to avoid leaking tool names); permission/usage errors are returned verbatim. Test name updated to reflect actual behavior. Branch: fix/681-recall-memory-offsec-scrub (PR #693) Co-Authored-By: Claude Opus 4.7 --- .../internal/handlers/mcp_test.go | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/workspace-server/internal/handlers/mcp_test.go b/workspace-server/internal/handlers/mcp_test.go index d306fa14..409c4d4e 100644 --- a/workspace-server/internal/handlers/mcp_test.go +++ b/workspace-server/internal/handlers/mcp_test.go @@ -548,7 +548,13 @@ func TestMCPHandler_CommitMemory_CleanContent_PassesThrough(t *testing.T) { // tools/call — recall_memory // ───────────────────────────────────────────────────────────────────────────── -func TestMCPHandler_RecallMemory_GlobalScope_Blocked(t *testing.T) { +// TestMCPHandler_RecallMemory_GlobalScope_ReturnsDescriptiveError verifies C3 +// (GLOBAL scope blocked on MCP bridge) is enforced and the error message +// propagates to the caller. Unlike "unknown tool:" errors (OFFSEC-001), which +// are scrubbed to a constant "tool call failed" to avoid leaking tool names, +// permission/usage errors like "GLOBAL scope is not permitted" are returned +// verbatim so callers (including tests) can assert on permission messages. +func TestMCPHandler_RecallMemory_GlobalScope_ReturnsDescriptiveError(t *testing.T) { h, mock := newMCPHandler(t) // No DB expectations — handler must abort before touching the DB. @@ -568,7 +574,17 @@ func TestMCPHandler_RecallMemory_GlobalScope_Blocked(t *testing.T) { var resp mcpResponse json.Unmarshal(w.Body.Bytes(), &resp) if resp.Error == nil { - t.Error("expected JSON-RPC error for GLOBAL scope recall, got nil") + t.Fatal("expected JSON-RPC error for GLOBAL scope recall, got nil") + } + // Error code is -32000 (server error). + if resp.Error.Code != -32000 { + t.Errorf("expected error code -32000, got %d", resp.Error.Code) + } + // Descriptive error message propagates to the caller. The OFFSEC-001 scrub + // applies only to "unknown tool:" errors (to avoid leaking tool names). + want := "GLOBAL scope is not permitted via the MCP bridge — use LOCAL, TEAM, or empty" + if resp.Error.Message != want { + t.Errorf("error message: got %q, want %q", resp.Error.Message, want) } if err := mock.ExpectationsWereMet(); err != nil { t.Errorf("unexpected DB calls on GLOBAL scope block: %v", err)